Lazarus Group Uses New Tactic to Evade Detection


Attackers conceal malicious code inside a BMP file to slip past security tools designed to detect embedded objects inside images.

Security researchers with Malwarebytes have observed the North Korea-affiliated advanced persistent threat actor Lazarus Group employing a new method to deliver malware while evading security tools.

Lazarus Group, an active and sophisticated group known for attacking targets around the world, recently expanded its primary mission beyond monetary theft to include stealing defense secrets. The group is known for developing custom malware families and using new tactics.

One of its newest methods involves embedding a malicious HTML Application (HTA) file inside a zlib-compressed object, which is itself inside a PNG file. At run time, the PNG file is converted into the BMP file format. Because BMP is an uncompressed format, converting from PNG to BMP automatically decompresses the malicious zlib object. Researchers call this a clever way to evade detection: because the malicious object is compressed inside the PNG image, it bypasses static detection.
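As an added illustration (not code from the Malwarebytes report or from Dark Reading), the following Python reproduces the decompression step from the defender's side: it inflates a PNG's IDAT stream, reconstructs the raw pixel bytes that a PNG-to-BMP conversion would write out, and scans them for HTA markers that a static scan of the compressed file would never see. It assumes the HTA sits in the image's pixel data, handles only non-interlaced images with PNG filter type 0, and uses a constructed, inert sample image rather than any real payload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")  # matched case-insensitively

def chunk(ctype, body):
    """Serialise one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def iter_chunks(png):
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length

def bmp_pixels(png):
    """Inflated, unfiltered pixel rows: what a PNG->BMP conversion writes (filter 0, no interlace)."""
    chunks = list(iter_chunks(png))
    ihdr = next(b for t, b in chunks if t == b"IHDR")
    width, height, depth, ctype = struct.unpack(">IIBB", ihdr[:10])
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[ctype]
    stride = (width * channels * depth + 7) // 8
    raw = zlib.decompress(b"".join(b for t, b in chunks if t == b"IDAT"))
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:  # Sub/Up/Average/Paeth rows would need reconstruction first
            raise NotImplementedError("PNG filter type %d not supported" % row[0])
        rows.append(row[1:])
    return b"".join(rows)

def scan_png(png):
    """Markers found in the decompressed pixel bytes; a static scan of the PNG sees none of them."""
    pixels = bmp_pixels(png).lower()
    return [m.decode() for m in HTA_MARKERS if m in pixels]

def build_png(pixels, width=16):
    """Constructed sample: an 8-bit greyscale PNG whose pixel bytes are `pixels` (zero-padded)."""
    pixels += b"\x00" * (-len(pixels) % width)
    height = len(pixels) // width
    raw = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

# Constructed, inert samples: an empty HTA skeleton hidden in pixel data, and a clean image.
SAMPLE_HTA_PNG = build_png(b"<html><hta:application id=x><script></script></html>")
SAMPLE_CLEAN_PNG = build_png(bytes(range(256)))
```

Note that the compressed PNG bytes contain none of the marker strings, so a scanner must inflate the IDAT data, as the conversion to BMP does, before it can see them.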

This attack likely started with a phishing campaign in which emails arrive with a malicious file attached. When opened, the file prompts the viewer to enable macros. Doing so leads to a message box; clicking it loads the final phishing lure: a participation form for a fair in a South Korean city. The document is weaponized with a macro that executes once it's opened.

While attribution is consistently a challenge in cyberattacks, the team found several signs that link this activity to Lazarus Group, as outlined in a blog post on their findings.

"There are several similarities between this attack and past Lazarus operations and we believe these are strong indicators to attribute this attack to the Lazarus threat actor," writes Hossein Jazi, senior threat intelligence analyst.

Read the full blog post for more information.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
